planning-with-files
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill establishes a vulnerability surface for indirect prompt injection through its core file-based workflow.
- Ingestion points: Untrusted data enters the agent's context through research findings stored in notes.md and tool/system errors logged in task_plan.md (as outlined in SKILL.md and examples.md).
- Boundary markers: The provided templates for persistent files lack delimiters or instructions for the agent to distinguish between its own structured planning and untrusted external content.
- Capability inventory: The skill requires continuous use of read, write, and edit tool calls on the local filesystem to maintain its 'working memory'.
- Sanitization: No instructions are provided for sanitizing or escaping data gathered from external sources before it is committed to these persistent files.
- Vulnerability: Principle 2 ('Attention Manipulation Through Repetition') in reference.md specifically instructs the agent to re-read the plan file before every decision to 'refresh goals', which brings any malicious instructions embedded in the logs directly into the agent's active prompt window.
Audit Metadata